TMO Reports - Cutting Through the OS X Security Rhetoric
by , 2:45 PM EDT, May 2nd, 2006
Much has been written about future, potential problems with OS X security, but so far no widespread documented issues have occurred. On the heels of Monday's report from The SANS Institute that Mac OS X vulnerabilities are on the rise, The Mac Observer took a look at some of the recent rhetoric surrounding the operating system's security.
With Apple launching a new series of TV ads, one of which touts the fact that Mac OS X is virus-free, it seems that the company will also need to combat some of the misinformation being spread by the media, as well as deal with accusations that it's not responding fast enough to vulnerabilities when they're reported.
For example, an Associated Press story that ran on CNN's Web site on Monday described a computer user named Benjamin Daines who had "clicked on a series of links that promised pictures of an unreleased update to his computer's operating system." According to the article, "a window opened on the screen and strange commands ran as if the machine was under the control of someone -- or something -- else."
The promised pictures of an unreleased OS X update sounded like the OSX/Leap-A Trojan horse that hit the Internet in February. While it affected very few users, it did prompt media reports that OS X was on the verge of suffering the same problems that have been plaguing the Windows world for the past several years.
When contacted for comment, Johannes B. Ullrich of The SANS Institute took exception to the attack being characterized as a virus, but he did say that it "sounds very much like the 0-day from earlier this year. The exploit would wrap a shell script inside an archive file, which would auto execute as the user accesses it via Safari. The user would typically see a command shell pop up."
He added: "We did see a number of uses of this exploit. I wouldn't characterize them as a virus, as they didn't self-replicate. They fall more in the category of 'bots' as they will then connect back to some kind of command and control server to allow the attacker to execute additional commands.
"Such a bot would be able to perform any action the user would be permitted to perform. For example, the bot would be able to connect to network services, send e-mail or modify/delete files owned by the user."
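The archive-wrapped script Mr. Ullrich describes can be caught before it is opened by inspecting the archive's entries rather than trusting their names. The following scanner is an added example written for this article, not code from the original report or from any of the parties quoted; it constructs its own sample zip (a genuine-looking JPEG alongside a shell script named like a picture) and flags entries that carry a shebang, an executable mode bit, or an image extension without image magic bytes.

```python
import io
import stat
import zipfile

# Magic bytes for the image formats a "pictures" archive would be expected to hold.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")


def build_sample_archive() -> bytes:
    """Constructed sample: one real-looking JPEG and one shell script disguised as a JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A harmless entry with a valid JPEG header (constructed, not a real picture).
        zf.writestr("leopard_preview.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        # The disguised script: executable bit set in the entry, shebang in the content.
        info = zipfile.ZipInfo("leopard_screenshots.jpg")
        info.external_attr = (stat.S_IFREG | 0o755) << 16
        zf.writestr(info, b"#!/bin/sh\necho constructed sample entry, does nothing\n")
    return buf.getvalue()


def scan_archive(data: bytes) -> list:
    """Return [(entry name, [reasons])] for entries that do not look like plain data files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)
            name = info.filename.lower()
            mode = (info.external_attr >> 16) & 0o777  # Unix mode stored in the zip entry
            reasons = []
            if head.startswith(b"#!"):
                reasons.append("shebang script")
            if mode & 0o111:
                reasons.append("executable mode %o" % mode)
            if name.endswith(IMAGE_EXTS) and not head.startswith(IMAGE_MAGIC):
                reasons.append("image extension but no image magic")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in scan_archive(build_sample_archive()):
        print("suspicious entry %s: %s" % (entry, ", ".join(why)))
```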
Apple Responding in a Microsoft-Like Manner?
Tom Ferris, a security researcher whose uncovering of five OS X vulnerabilities was publicized by Secunia last week, agreed with Mr. Ullrich's assessment when contacted via e-mail. He was also featured in that Associated Press story, warning that Apple's slowness to respond to security issues reminded him of Microsoft's attitude three years ago. "They didn't know how to deal with security, and I think Apple is in the same situation now," he was quoted as saying.
An Apple spokeswoman told the AP reporter that Apple will fix the vulnerabilities reported by Mr. Ferris in its next OS X update. She also said that the issues wouldn't enable someone to execute code on a Mac and in fact haven't been exploited in any real world situations that the company is aware of.
Mr. Ferris, however, told The Mac Observer that it took Apple three attempts to fix a core vulnerability in Safari, and it's possible that that flaw is what was exploited in Mr. Daines' situation. He did add, though, that he would expect a malware author to "code the exploit in a way where you would not see anything pop up on your screen. It would just install his malware in the background, under the context of the logged in user."
Give and Take
Elsewhere on the Web, the recent flurry of OS X security talk prompted tech-oriented editorials on both sides of the issue. In a Washington Post blog, for example, Brian Krebs assembled an exhaustive list of the security patches issued by Apple over the past two years and found that the company averaged 91 days to fix each one. He wasn't able to determine the length of time for a fix for all of them, however, because in some cases either Apple or the researcher who found it wouldn't divulge a date.
Mr. Krebs started the project in January and was initially rebuffed by Apple when he asked to speak to someone there about it. Eventually, though, the company allowed him to talk to Bud Tribble, its vice-president of software technology, who said that the lag time between a vulnerability's discovery and a patch has a lot to do with the QA process. "[A Mac user] simply expects things to work with single button click, and that means we have to take time to do that correctly," he said.
Mr. Tribble also pointed out that Apple averaged around 50 days to patch the most critical bugs, although Mr. Krebs noted that the company wouldn't give discovery dates for about a third of them, so it wasn't possible to obtain independent confirmation of that figure. The Apple executive did say, however, that the company wants to improve its turnaround time for security fixes.
While it's obvious that Mac OS X is currently a more secure and stable operating system than Windows XP, several of the security experts contacted by Mr. Krebs felt that hackers are starting to pay more attention to it by virtue of Apple's higher profile, which could lead to an onslaught of malware that users aren't ready to counter. One also noted that with cracked copies of OS X running on cheap PCs, malware authors also now have an inexpensive way to develop their exploits.
Not everyone is crying fire at the first sign of smoke, however. Scott Bradner on Monday published a column at Network World in which he noted: "There have been a few actual OS X attacks found in the wild (that is, the software is being used, not just a security-expert exercise) but not many. Last I read, there were fewer than five, compared with many thousands for Windows (even if many were exploiting the same underlying vulnerabilities)."
"OS X is not going to be vulnerability-free," he concluded, "but I do expect it to show significantly fewer vulnerabilities than Windows has. That does not mean OS X users can ignore security -- at the very least, enable the built-in personal firewall -- but it does mean you should not stay with Windows because you think it will be safer."